According to the American automotive news website autoevolution, the BMW ConnectedDrive portal has two "zero-day" vulnerabilities that hackers could use to control the vehicle settings associated with the multimedia device.
A so-called "zero-day" is a vulnerability for which no fix or patch exists yet. That is to say, there is currently no way to fix these vulnerabilities.
ConnectedDrive is the name of BMW's in-car infotainment system. The system can be used in the car, or drivers can manage vehicle settings from a mobile device through a series of connected mobile applications. The service has a mobile app and a web version. According to Softpedia, the web version of ConnectedDrive appears to be the weakest link in the security chain.
Vulnerability Lab security researcher Benjamin Kunz Mejri has published the two "zero-day" vulnerabilities in the BMW ConnectedDrive portal. He notified BMW in advance, 5 months ago, and BMW is aware of the matter.
Of the two vulnerabilities, one allows a user to access another user's vehicle identification number (VIN). The VIN is the vehicle ID for each user account, and it is used to back up the vehicle's ConnectedDrive settings to the user's account. Changes made to these settings in the portal change the settings in the car and in the associated applications. The safety hazard is that, in addition to changing the vehicle's radio presets, hackers can also open the user's e-mail, control the route, and lock or unlock the vehicle. A hacker who obtains the user's driving route can learn where the vehicle is parked, and could then steal it by unlocking it remotely.
The second vulnerability is a cross-site scripting flaw in the portal's password reset page, which may enable phishing attacks and other computer security issues. BMW has not yet commented on the matter.